Hi,
I’ve picked up ConcreteCMS again and it seems that I have a problem with using permissions.
I have several user groups; for now we will use GROUP1 and GROUP2.
I have created a single page (programmatically) and set the view_page to INCLUDE GROUP1 and EXCLUDE GROUP2.
When checking the permissions on the page in the dashboard, the permissions are set correctly.
Now I have a user that is both in GROUP1 and GROUP2. I was expecting that the user would have had access to this page, because it is in GROUP1. Unfortunately, the access is denied. Debugging tells me that this user is also in the GUEST group, and because this is the “last” group being handled, the user has been denied access.
I’ve checked the code in \Concrete\Core\Permission\Access\Access.php and debugged the function:
    /**
     * @param \Concrete\Core\Permission\Access\Entity\Entity[] $accessEntities
     *
     * @return bool
     */
    public function validateAccessEntities($accessEntities)
    {
        $valid = false;
        $accessEntities = $this->validateAndFilterAccessEntities($accessEntities);
        $list = $this->getAccessListItems(PermissionKey::ACCESS_TYPE_ALL, $accessEntities);
        $list = PermissionDuration::filterByActive($list);
        foreach ($list as $l) {
            switch ($l->getAccessType()) {
                case PermissionKey::ACCESS_TYPE_INCLUDE:
                    $valid = true;
                    break;
                case PermissionKey::ACCESS_TYPE_EXCLUDE:
                    $valid = false;
                    break;
            }
        }
        return $valid;
    }
With this function, only the LAST access entity is being used. And in my case, that is GROUP2; excluding this user.
Shouldn’t this be done differently? Always deny ($valid = false) and check $l in the foreach loop. When this is INCLUDE, $valid should be true and we can break out of the foreach.
    /**
     * @param \Concrete\Core\Permission\Access\Entity\Entity[] $accessEntities
     *
     * @return bool
     */
    public function validateAccessEntities($accessEntities)
    {
        $valid = false;
        $accessEntities = $this->validateAndFilterAccessEntities($accessEntities);
        $list = $this->getAccessListItems(PermissionKey::ACCESS_TYPE_ALL, $accessEntities);
        $list = PermissionDuration::filterByActive($list);
        foreach ($list as $l) {
            if ($l->getAccessType() === PermissionKey::ACCESS_TYPE_INCLUDE) {
                // User has access.
                $valid = true;
                // We now know that user has access, that will do.
                break;
            }
        }
        return $valid;
    }
I’m using 8.5.5.
Maybe I am missing something?
With kind regards,
Sven.
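
Added example (not part of the post above and not Concrete CMS code): a stand-alone PHP model of the two loops quoted in the post, run against the GROUP1 include / GROUP2 exclude page in both entry orders, next to an order-independent deny-overrides rule for comparison. The function names, the `[group, type]` entry format and the entry order are assumptions made for the illustration; the order in which the real `getAccessListItems()` returns items is not stated on this page.

```php
<?php
// Added model, not Concrete CMS code. Entries are [group, 'include'|'exclude'];
// their order is constructed and stands in for what getAccessListItems() returns.
// The loop as quoted from Access.php: every matching entry overwrites the result.
function lastMatchWins(array $entries, array $groups): bool
{
    $valid = false;
    foreach ($entries as [$group, $type]) {
        if (in_array($group, $groups, true)) {
            $valid = ($type === 'include');
        }
    }
    return $valid;
}

// The loop as proposed in the post: stop at the first matching include.
function firstIncludeWins(array $entries, array $groups): bool
{
    foreach ($entries as [$group, $type]) {
        if (in_array($group, $groups, true) && $type === 'include') {
            return true;
        }
    }
    return false;
}

// Order-independent alternative for comparison: any matching exclude denies.
function denyOverrides(array $entries, array $groups): bool
{
    $valid = false;
    foreach ($entries as [$group, $type]) {
        if (in_array($group, $groups, true)) {
            if ($type === 'exclude') {
                return false;
            }
            $valid = true;
        }
    }
    return $valid;
}

$acl = [['GROUP1', 'include'], ['GROUP2', 'exclude']]; // constructed sample ACL
$users = ['GROUP1 only' => ['GROUP1'], 'GROUP2 only' => ['GROUP2'], 'both' => ['GROUP1', 'GROUP2']];
foreach ([$acl, array_reverse($acl)] as $entries) {
    echo 'entry order: ', implode(', ', array_column($entries, 0)), PHP_EOL;
    foreach ($users as $label => $groups) {
        printf("  %-11s last-match=%d first-include=%d deny-overrides=%d\n", $label,
            lastMatchWins($entries, $groups), firstIncludeWins($entries, $groups), denyOverrides($entries, $groups));
    }
}
```

For the user in both groups, the last-match result flips with the entry order, the first-include loop grants access in either order (so the GROUP2 exclude never takes effect for anyone who is also in an included group), and the deny-overrides rule denies in either order.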